Feds fast-tracking new system for keeping tabs on cleared personnel

By
Jack Moore

Bill Henderson, president, Federal Clearance Assistance Service

More than 5 million federal employees, military service members and contractors
currently hold security clearances.

Clearance seekers must go through a thorough vetting — including having
their backgrounds pored over by investigators and agency officials — before
ultimately receiving a security clearance.

But once that access is granted, there aren't many ways for the government to
track whether a once-trusted insider — with access to sensitive government
information and facilities — has become an insider threat.

Clearance-holders are reinvestigated periodically over the years. But even those
with access to the most secret government data are only reinvestigated every five
years. Meanwhile, new questions have been raised about the government's ability to
keep tabs on cleared employees following incidents such as the National Security Agency leaks and the Navy Yard shooting.

As part of the special series Trust Redefined: Reconnecting Government and
Its Employees, Federal News Radio examines the government's plan to
use new technology to keep tabs on cleared personnel in real-time. Some experts
wonder, however, whether such a plan could be implemented successfully within the
swift timelines sought by the government.

Lag-time between reinvestigations

The number of federal employees and contractors cleared for access to classified
information continues to grow. Last year, the number of cleared personnel ticked up to more than 5 million,
according to a report from the Office of the Director of National Intelligence.

Brenda Farrell

But even as the cleared population grows, the government's policies for keeping
tabs on cleared personnel don't appear to be keeping up.

Once investigated and approved by their agency, top-secret clearance holders
— those with access to the most sensitive government data — are only
reinvestigated every five years. Secret-level clearance holders are reinvestigated
every 10 years, while confidential clearance holders are reviewed every 15 years.

The lag between periodic reinvestigations "is something to be concerned about
because that's your insider threat," said Brenda Farrell, director of Defense
Capabilities and Management at the Government Accountability Office.

Employees are directed to self-report issues that arise in the meantime, although
experts say many employees do not and there appears to be few official sanctions
for not doing so.

An independent report commissioned by the Pentagon
in the aftermath of the Navy Yard shooting, conceded that the department "gains
little to no insight into its cleared workforce" between periodic
reinvestigations.

Further, because of the budget squeeze across government, even wider gaps have
opened up.

Last year, faced with across-the-board sequestration cuts, many agencies reported
that they had temporarily stopped requesting periodic reinvestigations of their
cleared personnel, Farrell said.

A "significant backlog of overdue periodic investigations," has since piled up,
according to a recent report on security-
clearance reform efforts published by the Office of Management and Budget. As of
March, about 22 percent of top-secret clearance holders were past the five-year
due date, and their agency had yet to even request a follow-up investigation.

Is continuous evaluation the solution?

Those concerns have led the Defense Department — whose employees make up the
lion's share of cleared-employees — to begin pushing for a new approach to
tracking the millions of employees in sensitive government positions: continuous
evaluation (CE).

In addition to occasional, one-time snapshots of a person's fitness for a security
clearance, the new system — when fully deployed — would be able to
track potential warning signs in an employee's life and career "that may have them
evolve from a trusted insider to an insider threat," said Principal Deputy
Undersecretary of Defense for Intelligence Marcel Lettre in a Pentagon news briefing in March.

The new system would augment the current practice of periodic reinvestigations by
regularly pulling in automated data checks from a variety of sources —
credit checks, personnel files, even an employee's social media account — to
identify potential issues in near real-time.

Beth Cobert

There are already a few CE pilots underway within DoD.

ACES, short for Automatic Continuous Evaluation System, is able to pull data from
some 40 different government and commercial data sources. It's been under
development by the Defense Personnel and Security Research Center (PERSEREC) since
at least 2005.

When Army officials used ACES to screen a sample of about 3,370 Army service
members, civilians and contractors, it turned up previously unreported "derogatory
information" on more than 21 percent of those surveyed. Another 3 percent had
"serious" information turn up — financial issues, domestic violence or drug
abuse — which ultimately resulted in having their clearances revoked or
suspended.

The Pentagon, according to a March 2014 report,
also envisions a new insider-threat office within DoD that would be responsible
for overseeing the continuous-evaluation platform. The new office would be staffed
24 hours and would serve, according to department plans, as a "one-stop shop" to
run the system, analyze the incoming information and notify appropriate security
officials.

Implementation 'not a simple thing to do'

However, there are some big unanswered questions about the feasibility of a
broader rollout of the system.

In a 2005 hearing shortly after the Defense research agency first studied
continuous evaluation, DoD officials testified that the system could be
implemented in a year, Farrell said.

In retrospect, that now seems overly optimistic.

Continuous evaluation "sounds like a clean approach," Farrell said. "But it has a
lot of inner workings ... the leadership has got to stay involved and stay on top
of it to make sure that it's implemented."

In a speech
before a crowd of government contractors last month, Beth Cobert, the Office of
Management and Budget's deputy director for management, acknowledged the
challenges.

Bill Henderson

"The concept is the right one," she said. "The implementation needs to be done in
a precise way. And we need to be able to scale it effectively. And that's not a
simple thing to do."

In her role at OMB, Cobert been tasked with leading security-clearance reform
efforts governmentwide.

System won't be continuous — at first

As the government begins initial implementation, however, not all clearance-
holders will be reviewed by the new system nor will it be continuously running or
updating.

The Obama administration has called on the Office of the Director of National
Intelligence to expand the initial continuous-evaluation capabilities developed by
DoD to 100,000 of the "most sensitive" top-secret clearance holders across
government by this September. The administration aims to continue expanding
coverage over the next few years until it reaches all 1 million top-secret
clearance holders. But that's not scheduled to happen until 2017.

It's unclear when the system could be implemented for all 5 million clearance
holders.

Also as it stands now, the DoD system, ACES, is an on-demand tool only and "does
not have the ability to gather and present new information continuously and in
real-time," according to the Pentagon's report.

So, at least at first, DoD is only planning to run checks on the new system on an
annual basis.

"You're not down to continuous, you're at periodic," said Bill Henderson, who
spent two decades conducting background investigations for both DoD and OPM before
starting the Federal Clearance
Assistance Service.

Since the government will only run the checks about once a year, another weakness,
according to Henderson, is a continued reliance on self-reporting in the interim.

The problem is that clearance holders typically under-report issues, he said.

"There's a big disconnect there between what's really going on and what's getting
reported, Henderson said.

Evan Lesser

He cited figures he's seen indicating only about 8,000 top-secret clearance
holders — out of a total 1 million — typically file incident reports
in a given year.

However, the perception that government is keeping closer watch may prod clearance
holders to self-report, he added.

"If they put out that information to the clearance-holding population that, 'We
are going to check on you once a year,' and they don't know when that check is
going to occur, then it provides a lot of impetus to self-report rather than to
get caught," Henderson said.

Many details remain to be worked out

The sheer size of the cleared population poses challenges, said Evan Lesser, co-
founder and managing director of ClearanceJobs.com, an online clearinghouse for news and
information about the security-clearance industry. If even half of all clearance
holders — confidential, secret and top-secret — were eventually
required to be continuously evaluated, "that's a huge undertaking," he said.

And many of the details still need to be worked out.

"Nobody has come up with an understanding about which information, exactly, would
be monitored, how does it get done from a technical standpoint and then who
reviews the monitored information and makes decisions from it?" he said.

The proposal is also an expensive project at a time when Congress is looking to
tighten the federal purse strings.

"This kind of thing can't be implemented without a whole lot of funding and a
whole lot of manpower behind it," Lesser said.

Over the course of several weeks, Federal News Radio has been investigating the
security clearance process in the federal government. View more articles from our
special report, Questioning Clearances: